Setup

  • ADDS & ADCS on one 2012R2 server
  • ADFS 2012 R2 Server
  • WAP 2012 R2 Server
  • IIS 2012R2 server
  • Demo sample Application http://aka.ms/sampapp

Steps

1. Webconfig

Update sampapp webconfig file with your ADFS token signing cert thumbprint

2. RP trust

Create a Sampapp relying party trust at ADFS

3. Auth

Go to ADFS secondary Auth and configure Cert Auth as "Secondary" Auth

4. Login

Login any client machine and request normal "User" cert from your internal CA

5. Port

You need to check port 49443 is enabled on firewall between client to WAP. 

Ref. https://technet.microsoft.com/en-us/library/dn554247.aspx?f=255&MSPPError=-2147217396

Now, internal cert auth works fine, if the certificate doesn't have "http" endpoints in AIA/CDP distribution path over LDAP.

External if you try to use internal cert via WAP at this point. it will fail and you won't see any error at ADFS Either.

Reason: your internal cert may have CRL\AIA path as 'ldap'. This wont work at WAP end if it not a domain joined

Either :you can reissue the cert with 'http' path to work over external or disable revocation (at step 6) which is less recommended 

 If you wanna know more, Go to WAP server and do below logging, Else jump to step 6.

You can enable CAPI2 Logging and you would see Revocation of client certificate must be failing at WAP and WAP would reset the connection at port 49443

6. Disable revocation checking on port 49443 at the WAP server

Disable this via netsh http show sslcert


Hostname:port  : sts.naveerap.msftonlinerepro.com:49443
Certificate Hash  : 36a06b1af35a389a04398f985765932b009dab98
Application ID  : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name  : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check  : Enabled
Revocation Freshness Time  : 0
URL Retrieval Timeout  : 0
Ctl Identifier  : (null)
Ctl Store Name  : (null)
DS Mapper Usage  : Disabled
Negotiate Client Certificate : Enabled
Reject Connections  : Disabled

Delete the endpoint


netsh http>delete sslcert hostnameport=sts.naveerap.msftonlinerepro.com:49443
SSL Certificate successfully deleted

Re-add the endpoint with verifyclientcertrevocation=Disable


PS C:\Users\nagaCSC.baz> netsh
netsh>http
netsh http>add sslcert hostnameport=localhost:49443 certhash=36a06b1af35a389a04398f985765932b009dab98 appid={5d89a20c-be
ab-4389-9447-324788eb944a} certstorename=MY clientcertnegotiation=Enable verifyclientcertrevocation=Disable
SSL Certificate successfully added

Now you should see in the output “netsh http show sslcert” as below on WAP server

Hostname:port  : localhost:49443
Certificate Hash  : 36a06b1af35a389a04398f985765932b009dab98
Application ID  : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name  : MY
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check  : Enabled
Revocation Freshness Time  : 0
URL Retrieval Timeout   : 0
Ctl Identifier  : (null)
Ctl Store Name  : (null)
DS Mapper Usage  : Disabled
Negotiate Client Certificate : Enabled
Reject Connections  : Disabled

Uou are all set,  It should work with your internal cert via WAP. you see cert passed via port 49443

Fiddler Sample

Do check out Sample Fiddler in this and check out packet number "24" , Both Request and Response. you see the cert negotiated fine

Still need a help, reach with your case number to Microsoft.Happy to help you.

PS: If you want to have Non-domain joined windows or Mobile devices. you need to have export with private key of user cert and import on the devices.